          U.S. Department of Energy
          Office of Inspector General
          Office of Audits and Inspections


Evaluation Report

The Department of Energy's Unclassified
Cyber Security Program – 2013


DOE/IG-0897                          October 2013


                                 Department of Energy
                                    Washington, DC 20585

                                        October 29, 2013

MEMORANDUM FOR THE SECRETARY

FROM:                    Gregory H. Friedman
                         Inspector General

SUBJECT:                 INFORMATION: Evaluation Report on "The Department of Energy's
                         Unclassified Cyber Security Program – 2013"

BACKGROUND

Cyber security threats are a major concern for all Federal entities, including the Department of Energy. Several recent cyber attacks against the Department's networks and systems have underscored the importance and urgency of a strong cyber security program. For instance, a recent attacker exploited a known vulnerability resulting in the compromise of personally identifiable information for over 100,000 current and former employees, employee dependents and contractors.

The Federal Information Security Management Act of 2002 (FISMA) established the requirement for Federal agencies to develop, implement and manage agency-wide information security programs, and provide acceptable levels of security for the information and systems that support the operations and assets of the agency. Systems that support Federal missions and are funded by the Department but managed or operated by contractors also fall under the purview of FISMA. As part of our responsibilities under FISMA, the Office of Inspector General conducts an annual independent evaluation to determine whether the Department's unclassified cyber security program adequately protected its unclassified data and information systems. This report documents the results of our evaluation for Fiscal Year (FY) 2013.

RESULTS OF EVALUATION

The Department had taken a number of positive steps over the past year to correct cyber security weaknesses related to its unclassified information systems. This included corrective actions to resolve 28 of the 38 conditions we identified during our FY 2012 evaluation. In addition, the Department established a senior leadership council to increase high-level visibility of cyber-related issues.

In spite of these efforts, we found that significant weaknesses and associated vulnerabilities continued to expose the Department's unclassified information systems to a higher than necessary risk of compromise. While weaknesses identified as a result of Office of Inspector General vulnerability scanning decreased somewhat during our FY 2013 evaluation, those related to general information technology controls increased. Our testing revealed various weaknesses related to security reporting, access controls, patch management, system integrity, configuration management, segregation of duties and security management. In total, we discovered 29 new weaknesses and confirmed that 10 weaknesses from the prior year's review had not been resolved. These problems were spread across 11 of the 26 Department locations where we performed testing. Specifically:

   •   We discovered 11 access control deficiencies at 8 facilities related to inadequate management of user access privileges, inappropriate granting of physical access to sensitive facilities, failure to implement multi-factor authentication for remote access and use of default or easily guessed login credentials on servers or network services.

   •   At five locations, we determined that weaknesses existed related to vulnerability management of desktop computers and network systems. These findings were primarily focused on vulnerable operating systems and applications that were missing security updates and/or patches. Weaknesses of this sort directly contributed to the recent compromise and exfiltration of personally identifiable information on over 100,000 individuals from one of the Department's systems.

   •   Weaknesses related to system integrity of web applications, including improper validation of input data and unsecured user authentication information that support financial management and general support functions, were identified at six locations.

   •   We identified five weaknesses related to configuration management at three locations. The weaknesses included failure to develop or document an organizational configuration management policy, inconsistent implementation of configuration change control procedures and inadequate management of application change control processes.

   •   At one site, we found weaknesses related to segregation of duties. Specifically, established procedures governing the roles and responsibilities assigned to system users were not always followed.

   •   Finally, we identified several security management program weaknesses at three sites associated with ensuring that all employees had taken security training, cyber security incidents were reported, a system inventory was maintained, and audit logs were reviewed.

Notably, despite requirements established in FISMA implementing guidance promulgated by the Office of Management and Budget, the Department had not included contractor-owned/operated systems when reporting performance metrics related to the health of its cyber security program to the Department of Homeland Security. Specifically, the Department did not report detailed security information for more than 450 systems operated by its contractors. Given the fact that the majority of the vulnerabilities we discovered during this review and in past years involved contractor-operated systems, such disclosures are both relevant and necessary.

The weaknesses we identified occurred, in part, because Department elements had not ensured that policies and procedures were fully developed and implemented to meet all necessary cyber security requirements. In addition, the Department continued to operate a less than fully effective performance monitoring and risk management program. For example, locations reviewed had not always followed program or site-level patch management policies and procedures to ensure security updates were applied in a timely manner. Programs and sites also had not consistently followed existing policies related to terminating or disabling user access when no longer needed. Furthermore, we found that 24 of the 38 (63 percent) weaknesses identified in our prior year review were not tracked in the Department's Plan of Actions and Milestones. Absent improvements to its unclassified cyber security program, the Department's information and systems will continue to be at a higher than necessary risk of compromise. As such, we made several recommendations that, if fully implemented, should help the Department strengthen its cyber security program.

Due to the sensitive nature of the vulnerabilities identified during our evaluation, specific information and site locations have been omitted from this report. Site and program officials have been provided with detailed information regarding the vulnerabilities that were identified at their sites and, in many cases, initiated corrective actions to correct the identified deficiencies.

We are conducting a criminal investigation and a separate special inquiry into the July 2013 intrusion and theft of personally identifiable information from the Department. The results of our inquiry will be reported separately.

MANAGEMENT REACTION

Management concurred with the report's findings and recommendations and had taken and/or initiated corrective actions. Management's comments and our response are summarized and more fully discussed in the body of the report.
Management's formal comments are included in Appendix 3.

Attachment

cc: Deputy Secretary
    Acting Under Secretary for Nuclear Security
    Acting Under Secretary for Science and Energy
    Acting Under Secretary for Management and Performance
    Chief Information Officer
    Acting Chief Financial Officer
    Director, Office of Management


EVALUATION REPORT ON THE DEPARTMENT OF ENERGY'S
UNCLASSIFIED CYBER SECURITY PROGRAM – 2013


TABLE OF CONTENTS

Security Controls and Risk Management

Details of Finding ............................................................................................................................1

Recommendations ............................................................................................................................8

Management Response and Auditor Comments ..............................................................................9

Appendices

1. Objective, Scope and Methodology .........................................................................................10

2. Related Reports ........................................................................................................................12

3. Management Comments ..........................................................................................................15


THE DEPARTMENT OF ENERGY'S UNCLASSIFIED CYBER SECURITY
PROGRAM – 2013

Program Improvements

The Department of Energy (Department), including the National Nuclear Security Administration (NNSA), had taken a number of steps over the past year to address previously identified cyber security weaknesses and enhance its unclassified cyber security program. In particular:

    •    The Department had taken corrective action to resolve or mitigate a number of previously identified vulnerabilities at 11 locations. Actions taken addressed weaknesses related to access controls, configuration and vulnerability management, system integrity, incident reporting and contingency planning. In fact, the number of weaknesses identified during our current review that were attributable to technical system vulnerabilities such as patch management had decreased by about one-third when compared to last year's review.

    •    The Department established an executive-level Cyber Council as the principal forum for coordination of its cyber-related activities across the enterprise and for consideration of issues requiring a decision by the Secretary of Energy. Such activities addressed protecting the enterprise, including the Department's management and operating contractors, from a range of cyber threats, bolstering the Government's capabilities to address such threats, and improving cyber security in the electric power, oil and natural gas subsectors. Membership in the Council consisted of executive-level leadership from the Department's program and staff offices.

    •    The Department's programmatic elements and field sites had made improvements in the implementation of Homeland Security Presidential Directive-12 and the development of a risk management approach for cyber security programs. For example, Department Order 206.2, Identity, Credential, and Access Management, was issued in February 2013, in response to our report on The Department of Energy's Implementation of Homeland Security Presidential Directive 12 (DOE/IG-0860, February 2012). This directive promulgated policy related to the issuance of credentials for uncleared contractors, an issue identified in our February 2012 report. In addition, programs and sites continue to work towards effective implementation of a risk management approach.

Although the actions taken by the Department over the last year should help improve its cyber security position, our current evaluation found that programs and sites must continue to remain cognizant of constantly changing and emerging threats and the potential impact these issues pose to unclassified information systems and data.

Security Controls and Risk Management

The current evaluation identified an area of concern regarding the completeness of the Department's performance metrics reporting to the Department of Homeland Security related to the health of its cyber security program. Although the Department had made progress correcting deficiencies we identified in our Fiscal Year (FY) 2012 evaluation, additional effort is needed to enhance its unclassified cyber security program and further mitigate the risks to its information and systems.

Page 1                                                                           Details of Finding
Specifically, while the number of findings issued as a result of our vulnerability scanning decreased from our FY 2012 review, we identified more weaknesses related to general information technology controls than in past years.

Our review of Under Secretary of Nuclear Security, Under Secretary for Science and Energy and Under Secretary for Management and Performance organizations identified various weaknesses related to security reporting, access controls, patch management, system integrity of web applications, configuration management, segregation of duties and security management. Based on the results of our FY 2013 evaluation, 29 new weaknesses and 10 unresolved weaknesses from the prior year's review were identified at 11 of 26 locations included in our current year evaluation.

                                       Security Reporting

The Department's cyber security performance metric reporting, which is provided to the Department of Homeland Security under the requirements of the Federal Information Security Management Act of 2002, did not include information related to Department funded, contractor managed/operated information systems. The Department reported in FY 2012 that 469 of its 649 (72 percent) information systems belong to or are managed by contractors. However, the information provided to the Department of Homeland Security in response to the FY 2012 performance metrics stated that it was based only on Federal systems. Thus, the Department underreported the results of its cyber security program in seven critical areas, including asset management, configuration and vulnerability management, identity and access management and data and boundary protection. This resulted in reduced visibility of the level of security over the vast majority of the Department's information systems, limiting the ability to implement an effective complex-wide risk management process. While a Department official told us that security information for contractor systems would be reported beginning in FY 2013, we were unable to confirm whether this had occurred at the time of our review.

                                         Access Controls

Although the Department had taken action to correct a number of prior year access control weaknesses, we continued to identify issues related to logical and physical access controls at numerous locations. Access controls consist of both physical and logical measures designed to protect information resources from unauthorized modification, loss or disclosure. Controls must be strong and functional to ensure that only authorized individuals can gain access to networks and systems or the facilities in which they are located. During our FY 2013 review, we identified 12 access control deficiencies at 8 locations. In particular:

   •   Eight account management weaknesses were identified at six locations, including inadequately managed user access privileges and failure to perform periodic management reviews of user accounts. For instance, access privileges at six locations were not appropriately established, modified, reviewed, disabled and/or removed. All six locations failed to remove terminated or inactive user accounts in a timely manner. One site had not disabled all inactive users who had not logged into the system within the past 60 days despite the requirement to do so. At another site, user accounts with elevated privileges remained active even though users had not logged in for more than 3 years.

   •   One site had inappropriately granted physical access to a data center where information systems were maintained. Specifically, an individual was granted access to the data center when such access was not required to perform job duties. The individual had not accessed the data center, and management took corrective action to remove this access when we brought this matter to its attention.

   •   Although one site had implemented tools necessary to ensure that remote access to its network and information systems was secure or properly protected, several remote access weaknesses were identified at the site. We found that multi-factor authentication for privileged users had not been implemented, and full disk encryption security measures had not been activated on mobile computers, including some that could potentially contain sensitive data such as personally identifiable information. Furthermore, five remote access accounts belonging to terminated users had not been properly disabled in a timely manner.

   •   One site had 11 network server systems and devices that were configured with default or easily guessed login credentials or that required no authentication for access. These configuration vulnerabilities could have allowed an attacker to obtain unauthorized access to the affected devices and the data stored on them. Furthermore, some of the vulnerabilities could have allowed malicious programs to attack other systems on the internal network. Although the site had updated policies and procedures designed to address the identified weakness, we noted that implementation of the policies and procedures was not effective.

   •   One site maintained seven servers/systems running network services that were configured with open access settings that could have allowed remote systems to obtain access to data on the system without the use of login credentials. Sensitive financial data and personnel payroll information was accessible through one of those servers. Once the site became aware of the issue, management took corrective action to restrict access and remove sensitive data from servers that had open access settings.

                                         Patch Management

The Department had made improvements in its patch management program since our prior year review. However, we continued to identify issues related to patch management of desktop computers and network systems at six locations. The weaknesses consisted of varying degrees of vulnerable applications and operating systems missing security updates and/or patches, including 3 critical and more than 200 high-risk vulnerabilities. Site and management officials told us that they had accepted the risks associated with many of the vulnerabilities; however, they could not always provide documentation to support a risk acceptance decision. We also noted that in a number of cases, compensating controls were insufficient to address the observed vulnerabilities. In particular:

   •   Scans of desktop systems at 17 locations revealed that 965 of 2,357 (41 percent) systems were running operating systems and/or client applications without current security patches for known vulnerabilities. The vulnerable client applications included media players and productivity and remote access software and were missing security patches for known vulnerabilities that had been released more than 30 days prior to our testing. At one site, nearly every desktop system scanned contained outdated applications. Our testing of workstations targeted users with elevated privileges and was a small subset of all workstations at the sites reviewed. Therefore, we consider the results of our testing to be very conservative.

   •   More than 100 network systems tested were running operating systems and application support platforms without current security patches or security configurations for known vulnerabilities that were released more than 30 days prior to testing. We also identified 23 network server systems running operating system versions that were no longer supported by the vendor.

The danger of unpatched systems was demonstrated in July 2013, when an unpatched application provided the vector for attackers to breach a system at Headquarters containing significant amounts of sensitive information. As a result, personally identifiable information for more than 100,000 current and former employees, employee dependents and contractors was exfiltrated. We are conducting a criminal investigation into this matter and are in the process of performing a special inquiry into the circumstances that contributed to the event. We will issue a separate report detailing the results of our special inquiry.

                             System Integrity of Web Applications

We identified eight weaknesses related to system integrity of web applications at six locations. Our performance testing found web applications – including financial, human resources and general support applications – that did not perform validation procedures to determine whether the form and content of input data was validated against an application's database.
Effective validation procedures can ensure that changes made to information and programs are only allowed in a specified and authorized manner and that the system's operation is not impaired by deliberate or inadvertent unauthorized manipulation, such as software flaws and malicious code. We found:

   •   At six locations, applications that accepted malicious input data could be used to launch attacks against legitimate users, resulting in unauthorized access. Such attacks, referred to as cross-site scripting, could result in a compromise of legitimate users' workstations and application login credentials. Notably, weaknesses at three of the six locations were initially identified during prior year reviews, but had not been fully remediated and were still considered vulnerable to the aforementioned attacks. Upon notification of our findings, some sites had initiated and/or completed corrective actions.

   •   Two locations stored unsecured user authentication information on the network. These identifiers were accessible to any web server within the same network. Thus, unsecured user authentication information stored in a user's web browser could be exposed to attackers or unauthorized users through attacks executed against any web server within the network. These weaknesses could also allow an attacker to compromise legitimate users' workstations and application login credentials.

Unsecured web applications, such as those identified during our testing, increase the risk of malicious attacks that could result in unauthorized access to application functionality and sensitive data stored in the application.

                                   Configuration Management

We identified five weaknesses related to configuration management of information systems at three locations. The weaknesses involved inadequate implementation of configuration change control procedures, failure to develop standard baseline configurations for all systems and insufficient documentation of application change controls. Specifically:

   •   At two sites, we found that configuration change control procedures had not been implemented consistently even though procedures had been documented. For example, we identified 15 changes to a firewall configuration at one site that were not in accordance with configuration management plan procedures. In addition, officials at another site had not documented, retained or reviewed information system changes. At that site, we were unable to obtain or review changes implemented in FY 2013. As such, we could not determine whether changes were adequately documented, tested and approved prior to implementation.

   •   One site had not developed or documented an organizational configuration management policy and related procedures for managing hardware and software. Even though the site maintained standard baseline configurations for centrally managed operating systems and applications, we found that a minimum security configuration policy and requirements for non-centrally managed systems had not been established or documented.

   •   One site had weaknesses related to managing its application change control process. Although the site used an application to track and monitor configuration changes, we found that change requests for the application had not been documented and maintained. Rather, all change requests had been made verbally to the developer, and no change control forms had been completed. When informed of our findings, management took corrective actions to update plans and procedures.

                                      Segregation of Duties

We identified a weakness related to segregation of duties at one location. Specifically, several individuals were assigned responsibilities that conflicted with the organization's documented separation of duties rules. As an example, one individual was able to enter purchase order information and had accounts payable invoicing rights. In total, 12 individuals had been assigned roles that could have allowed an increased risk of unauthorized activities without collusion when processing transactions. When informed of our findings, management took corrective action to address the users' conflicting roles.

                                      Security Management

We identified several security management weaknesses at three locations related to ensuring all employees had taken security training, all cyber security incidents were reported, system inventories were maintained and audit logs were reviewed. In particular:

   •   Two locations had not provided adequate security training to all employees. For example, at one site, approximately 500 users had not taken a security training course even though it was required by site-level policy. At another site, officials had not identified individuals required to take specialized security training and ensured that such training had occurred.

   •   Two sites had weaknesses related to incident response, asset management and audit logging and monitoring. Specifically, we found that lost or potentially stolen information technology equipment at one site had not been properly reported by the site to the Department's Joint Cyber Security Coordination Center. Another location had not maintained a complete inventory of all information systems and had not reviewed system logs to identify anomalies in access or activity.

Policies and Procedures, Performance Monitoring and Risk Management

The weaknesses identified occurred because Department elements had not ensured that policies and procedures were fully developed and implemented to meet all necessary cyber security requirements. In addition, the Department continued to operate a less than fully effective performance monitoring and risk management program.

                                     Policies and Procedures

Consistent with our prior year reviews, sites developed cyber security policies and procedures that were inadequate or did not always satisfy Federal or Department security requirements. For instance, we noted that policies and procedures at certain locations did not clearly designate the responsible parties for reporting lost or stolen laptops, resulting in security incidents not being reported in a timely manner.
Similar issues were identified in our Follow-up Audit of the\nDepartment\'s Cyber Security Incident Response Program (DOE/IG-0878, December 2012).\n\nEven when in place, policies and procedures were not always fully implemented. For instance,\nlocations reviewed had not always followed program or site-level patch management policies\nand procedures to ensure security updates were applied in a timely manner. Furthermore,\nprograms and sites had not consistently followed existing policies related to terminating or\ndisabling user access when no longer needed. In one instance, although the site\'s policies\nrequired deletion or deactivation of user accounts that had been inactive for 180 days, we found\nthat more than 100 accounts were active for more than 6 months even though they were unused.\nIn addition, we found that some sites had updated policies and procedures related to security\ntraining, but these changes had not always been fully implemented to ensure all users were\ntrained.\n\n\nPage 6                                                                          Details of Finding\n\x0c                         Performance Monitoring and Risk Management\n\nThe Department continued to operate a less than fully effective performance monitoring and risk\nmanagement program. In particular, many of the programs and sites reviewed had not fully\nimplemented an effective process to ensure security patch management processes for desktop\ncomputers, network devices and applications were working as designed. For instance, we found\nthat vulnerability management programs at numerous locations were not always effective in\nremediating missing security updates for critical vulnerabilities in operating systems and\napplications installed on network systems and/or workstations. 
In addition, many of the web\napplication vulnerabilities we identified occurred because programs and sites had not\nimplemented effective processes to ensure that controls were in place to identify and prevent\napplication integrity issues. At two sites where prior year weaknesses remained, input data\nvalidation safeguards had not been effectively developed and implemented as part of application\nfunctionality. As the Department continues its efforts to implement a cyber security continuous\nmonitoring program, it is essential that adequate performance monitoring mechanisms are in\nplace.\n\nContrary to Federal requirements, we also found that plans of action and milestones were not\nalways effectively used as a monitoring tool to report, prioritize and track cyber security\nweaknesses. The use of plans of action and milestones is an important mechanism to identify\nand manage progress towards eliminating gaps between required security controls and those that\nare actually in place. However, we found:\n\n    \xe2\x80\xa2    Although many of the sites reviewed tracked weaknesses at a local level, cyber security\n         deficiencies identified during our FY 2012 review were not always included. In\n         particular, 22 of 38 (58 percent) weaknesses identified last year were not tracked in the\n         plans of action and milestones submitted to the Office of the Chief Information\n         Officer. As a result, these issues were not reported to the Office of Management and\n         Budget, as required. Perhaps more importantly, the Department\'s Chief Information\n         Officer did not have visibility over the critical weaknesses in the Department\'s cyber\n         security program. 
        We also noted that plans of action and milestones did not contain all cyber security weaknesses identified in numerous security-related Office of Inspector General reports.

    •   As compared to our FY 2012 evaluation, we noted an increase in the number of open milestones in the plans of action and milestones that were beyond the projected remediation date. Specifically, we determined that 467 of 921 (51 percent) open milestones were beyond the projected remediation date, including 133 open milestones that were at least 1 year beyond the estimated remediation date.

We also identified several concerns related to the ability to implement risk management practices. For example, one site had not completed documentation supporting its risk management process and acceptance of risk associated with web application vulnerabilities. The site also had not documented residual risk, business justifications and mitigations for vulnerabilities that were identified by system scanning tools. In addition, we found that Department officials misunderstood a Department of Homeland Security memorandum that led them to report only limited information on contractor systems, resulting in reduced visibility of security over the vast majority of the Department's information systems and limiting the ability to implement an effective complex-wide risk management process. According to a Department official, security information for contractor systems will be reported beginning in FY 2013; however, at the time of our review, we were unable to confirm whether this had occurred.
As the Department continues its efforts to rely on contractor assurance processes for monitoring the effectiveness of programs, it is essential that adequate performance monitoring mechanisms are in place.

Risk to Information and Systems

As in years past, we note that without changes to improve the operation of its cyber security program, including implementing effective policies and procedures and enhancing performance monitoring, the Department's information systems and data will continue to be at risk. Recently, this point was made clear when an unpatched Department application was exploited, allowing attackers to breach a Headquarters system and exfiltrate personally identifiable information for more than 100,000 current and former Department employees, employee dependents and contractors.

In addition, without knowledge of security over contractor-operated systems, the Department's information and systems will continue to be at risk as threats constantly change. Although programs and sites had implemented mitigating controls in certain instances, we found that the weaknesses identified during our review could potentially be exploited by attackers. As such, effective remediation of the weaknesses identified during our review should help the Department strengthen its cyber security program. The remediation process could be further improved through effective implementation of the plans of action and milestones process.
Comprehensive plans of action and milestones would allow officials to identify security risks and determine what type of action should be taken to address them in an efficient and prioritized manner.

RECOMMENDATIONS

To improve the Department's unclassified cyber security program and to correct the weaknesses identified in this report, we recommend that the Under Secretary of Nuclear Security, Under Secretary for Science and Energy and Under Secretary for Management and Performance, in coordination with the Department's and National Nuclear Security Administration's Chief Information Officers, where appropriate:

   1. Correct, through the implementation of appropriate controls, the weaknesses identified within this report;

   2. Ensure that policies and procedures are developed, as needed, and are implemented in accordance with Federal and Department requirements to adequately secure systems and applications;

   3. Ensure that effective performance monitoring practices are implemented to assess overall performance for protecting information technology resources;

   4. Fully develop and use plans of action and milestones to prioritize and track remediation of all cyber security weaknesses requiring corrective actions; and

   5. Ensure that the Department includes information for both Federal and contractor systems when reporting the status of performance metrics annually to the Department of Homeland Security.

MANAGEMENT RESPONSE

Department management concurred with each of the report's recommendations and indicated that corrective actions would be identified and tracked in the appropriate plans of action and milestones.
For instance, the Office of the Chief Information Officer indicated that it is piloting an automated tool to provide a centralized repository for tracking program and system-level cyber security weaknesses and remediation activities. In addition, management commented that it enhanced performance monitoring activities and will include both Federal and contractor compliance information as part of the FY 2013 reporting to the Office of Management and Budget. In separate comments, NNSA management concurred with the recommendations and planned to take corrective actions to resolve the weaknesses identified in our report.

AUDITOR COMMENTS

Management's comments were responsive to our recommendations. Management's comments are included in Appendix 3.

Appendix 1

OBJECTIVE, SCOPE AND METHODOLOGY

OBJECTIVE

To determine whether the Department of Energy's (Department) unclassified cyber security program adequately protected its data and information systems.

SCOPE

We conducted the evaluation from February 2013 to October 2013 at 26 Department locations under the responsibility of the Under Secretary of Nuclear Security, Under Secretary for Science and Energy and the Under Secretary for Management and Performance. The focus of our evaluation was the Department's unclassified cyber security program. This work involved a limited review of general and application controls in areas such as security management, access controls, configuration management, segregation of duties and contingency planning.
Where vulnerabilities were identified, the evaluation did not include a determination of whether the vulnerabilities were actually exploited.

METHODOLOGY

To accomplish the audit objective, we:

   •   Reviewed Federal regulations and Department directives pertaining to information and cyber security.

   •   Reviewed applicable standards and guidance issued by the National Institute of Standards and Technology for the planning and management of system and information security.

   •   Obtained and analyzed documentation from Department programs and selected sites pertaining to the planning, development and management of cyber security-related functions such as cyber security plans, plans of action and milestones and budget information.

   •   Held discussions with officials from the Department and the National Nuclear Security Administration.

   •   Assessed controls over network operations and systems to determine the effectiveness related to safeguarding information resources from unauthorized internal and external sources.

   •   Evaluated selected Headquarters offices and field sites in conjunction with the annual audit of the Department's Consolidated Financial Statements, utilizing work performed by KPMG, LLP (KPMG), the Office of Inspector General's contract auditor. Office of Inspector General and KPMG work included analysis and testing of general and application controls for systems, as well as vulnerability and penetration testing of networks.

   •   Evaluated and incorporated the results of other cyber security review work performed by the Office of Inspector General, KPMG, the U.S.
       Government Accountability Office and the Office of Health, Safety and Security's Office of Enforcement and Oversight.

We conducted this evaluation in accordance with generally accepted Government auditing standards. Those standards require that we plan and perform the review to obtain sufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions based on our objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our objective. Accordingly, we assessed significant internal controls and compliance with laws and regulations to the extent necessary to satisfy the audit objective. In particular, we assessed the Department's implementation of the GPRA Modernization Act of 2010 and determined that it had established performance measures for its information and cyber security program. Because our evaluation was limited, it would not necessarily have disclosed all internal control deficiencies that may have existed at the time of our audit. We did not solely rely on computer-processed data to satisfy our objective. However, computer-assisted audit tools were used to perform scans of various networks and drives. We validated the results of the scans by confirming the weaknesses disclosed with responsible on-site personnel and performed other procedures to satisfy ourselves as to the reliability and competence of the data produced by the tests.
In addition, we confirmed the validity of other data, when appropriate, by reviewing supporting source documents.

The Office of the Chief Information Officer and the National Nuclear Security Administration both waived an exit conference.

Appendix 2

RELATED REPORTS

Office of Inspector General Reports

   •   Audit Report on Management of the Naval Reactors' Cyber Security Program (DOE/IG-0884, April 2013). The Office of Inspector General (OIG) found that, although the Naval Reactors Program (Naval Reactors) had made a number of enhancements to its cyber security program over the past year, we identified weaknesses related to vulnerability management, access controls, incident response and security awareness training that could negatively affect its security posture. The weaknesses identified occurred, in part, because Naval Reactors had not ensured that necessary cyber security controls were fully implemented. Specifically, officials had not fully developed and/or implemented policies and procedures related to vulnerability management, access controls, incident response and cyber security training. In addition, Naval Reactors had not always effectively utilized plans of action and milestones to track, prioritize and remediate cyber security weaknesses.

   •   Audit Report on Management of Los Alamos National Laboratory's Cyber Security Program (DOE/IG-0880, February 2013). The OIG found that Los Alamos National Laboratory (Los Alamos) had taken steps to address concerns regarding its cyber security program raised in prior evaluations.
       However, we identified continuing concerns related to Los Alamos' implementation of risk management, system security testing and vulnerability management practices. The issues identified occurred, in part, because of a lack of effective monitoring and oversight of Los Alamos' cyber security program by the Los Alamos Site Office, including approval of practices that were less rigorous than those required by Federal directives. In addition, we found that Los Alamos' Information Technology Directorate had not followed National Nuclear Security Administration policies and guidance for assessing system risk and had not fully implemented the Laboratory's own policy related to ensuring that scanning was conducted to identify and mitigate security vulnerabilities in a timely manner.

   •   Report on Management Letter on the Audit of the Department of Energy's Consolidated Financial Statements for Fiscal Year 2012 (DOE/OAS-FS-13-08, January 2013). Based on the audit of the consolidated financial statements of the Department of Energy (Department) for the year ended September 30, 2012, we found unclassified network and information system security to be an area where there were significant deficiencies in internal controls. We noted network vulnerabilities and weaknesses in access and other security controls in the Department's unclassified computer information systems. The identified weaknesses and vulnerabilities increased the risk that malicious destruction or alteration of data or unauthorized processing could occur.
       The Department should fully implement policies and procedures to improve its network and information systems security.

   •   Audit Report on Follow-up Audit of the Department's Cyber Security Incident Management Program (DOE/IG-0878, December 2012). The OIG found that although certain actions had been taken in response to our prior audit report, we identified several issues that limited the efficiency and effectiveness of the Department's cyber security incident management program and adversely impacted the ability of law enforcement to investigate incidents. The issues identified were due, in part, to the lack of a unified, Department-wide cyber security incident management strategy. In addition, changes to the Department's Incident Management policy and guidance may have adversely impacted overall incident management and response by law enforcement and counterintelligence officials. Also, we found that incident reporting to law enforcement was not always timely or complete, which hindered investigations into events. In the absence of an effective enterprise-wide cyber security incident management program, a decentralized and fragmented approach has evolved that places the Department's information systems and networks at increased risk.

   •   Evaluation Report on The Department's Unclassified Cyber Security Program – 2012 (DOE/IG-0877, November 2012). The OIG found that the Department had taken steps over the past year to address previously identified cyber security weaknesses and enhance its unclassified cyber security programs. The overall number of identified vulnerabilities decreased from 56 weaknesses in the prior year's evaluation to 38 in 2012.
       Although the number of vulnerabilities identified was reduced, the types and severity of weaknesses continued to persist and remained consistent with prior years. The weaknesses involved problems with access controls, vulnerability management, integrity of web applications, planning for continuity of operations and change control management. The weaknesses identified occurred, in part, because Department elements had not ensured that cyber security requirements were fully developed and implemented. In addition, programs and sites had not always effectively monitored performance to ensure that appropriate controls were in place.

   •   Audit Report on Management of Western Area Power Administration's Cyber Security Program (DOE/IG-0873, October 2012). The OIG found the Western Area Power Administration had made a number of enhancements to its cyber security program since the OIG's prior review. However, several weaknesses related to vulnerability management and security controls existed that could negatively impact its cyber security posture. Specifically, Western Area Power Administration had not always implemented cyber security controls designed to address known system vulnerabilities and ensured that access controls designed to protect its information systems and data were in place. The weaknesses identified occurred, in part, because Western Area Power Administration had not always implemented policies and procedures related to vulnerability and patch management.
       Specifically, while cyber security officials conducted regular scans on two of the systems reviewed, they did not always identify and correct known vulnerabilities. In addition, officials had not fully implemented policies and procedures related to managing access to systems and information, including deactivating and/or disabling unneeded user accounts in a timely manner.

   •   Special Report on Management Challenges at the Department of Energy – Fiscal Year 2013 (DOE/IG-0874, October 2012). Based on the work performed during Fiscal Year (FY) 2012, the OIG identified nine areas, including cyber security, which remained a management challenge for FY 2013.

   •   Audit Report on The Department of Energy's Implementation of Homeland Security Presidential Directive 12 (DOE/IG-0860, February 2012). The OIG found that, despite 7 years of effort and expenditures of more than $15 million, the Department had yet to meet all Homeland Security Presidential Directive 12 (HSPD-12) requirements. In particular, the Department had not fully implemented physical and logical access controls in accordance with HSPD-12. Furthermore, the Department had not issued HSPD-12 credentials to many uncleared contractor personnel at its field sites. We noted what we considered to be a lack of a coordinated approach among programs and sites related to implementation of HSPD-12 requirements. In particular, we found that guidance provided by management was fragmented and often inadequate to meet the goals of the initiative.
       In addition, ongoing efforts suffered from a lack of coordination among programs and sites to determine the cost, scope and schedule of work required to implement HSPD-12 requirements. Several programs and sites visited also had not established budgets in an attempt to obtain funding to support HSPD-12 activities.

   •   Audit Report on The Department's Configuration Management of Non-Financial Systems (DOE/OAS-M-12-02, February 2012). The OIG found the Department had not implemented sufficient controls over its configuration management processes for non-financial systems. Specifically, security patches designed to mitigate system vulnerabilities had not been applied in a timely manner for desktops, applications and servers. In addition, organizations and sites reviewed had not always followed effective procedures to ensure that changes to systems and applications were properly tested and approved prior to implementation.

Government Accountability Office Reports

   •   CYBERSECURITY: A Better Defined and Implemented National Strategy Is Needed to Address Persistent Challenges (GAO-13-462T, March 2013)

   •   HIGH-RISK SERIES: An Update (GAO-13-283 and GAO-13-359T, February 2013)

   •   CYBERSECURITY: National Strategy, Roles, and Responsibilities Need to Be Better Defined and More Effectively Implemented (GAO-13-187, February 2013)

   •   IT SUPPLY CHAIN: National Security-Related Agencies Need to Better Address Risks (GAO-12-361, March 2012)

   •   SOCIAL MEDIA: Federal Agencies Need Policies and Procedures for Managing and Protecting Information They Access and Disseminate (GAO-11-605, June 2011)

Appendix 3

MANAGEMENT COMMENTS
IG Report No. DOE/IG-0897

CUSTOMER RESPONSE FORM

The Office of Inspector General has a continuing interest in improving the usefulness of its products. We wish to make our reports as responsive as possible to our customers' requirements, and, therefore, ask that you consider sharing your thoughts with us. On the back of this form, you may suggest improvements to enhance the effectiveness of future reports. Please include answers to the following questions if applicable to you:

     1. What additional background information about the selection, scheduling, scope, or procedures of the audit or inspection would have been helpful to the reader in understanding this report?

     2. What additional information related to findings and recommendations could have been included in the report to assist management in implementing corrective actions?

     3. What format, stylistic, or organizational changes might have made this report's overall message more clear to the reader?

     4. What additional actions could the Office of Inspector General have taken on the issues discussed in this report that would have been helpful?

     5.
        Please include your name and telephone number so that we may contact you should we have any questions about your comments.

Name                                          Date

Telephone                                     Organization

When you have completed this form, you may telefax it to the Office of Inspector General at (202) 586-0948, or you may mail it to:

                               Office of Inspector General (IG-1)
                               Department of Energy
                               Washington, DC 20585

                               ATTN: Customer Relations

If you wish to discuss this report or your comments with a staff member of the Office of Inspector General, please contact our office at (202) 253-2162.

The Office of Inspector General wants to make the distribution of its reports as customer-friendly and cost-effective as possible. Therefore, this report will be available electronically through the Internet at the following address:

U.S. Department of Energy Office of Inspector General Home Page

http://energy.gov/ig

Your comments would be appreciated and can be provided on the Customer Response Form.